Properly handle prompt=none

author: Nikos Sklikas <nsklikas@admin.grnet.gr> 2021-04-27 10:08:41 +0300
committer: Asif Saif Uddin <auvipy@gmail.com> 2021-05-01 14:12:17 +0600
commit: 2f1d7d8e357b307b3d5f41006d2b0a0698e40e63 (patch)
tree: 95d15b044f1bd156fbc2f15b25228d06bc542180 /tests
parent: b69fa53fd836dc559aa7fcd78ce075bcbe361629 (diff)
download: oauthlib-2f1d7d8e357b307b3d5f41006d2b0a0698e40e63.tar.gz
2 files changed, 90 insertions, 15 deletions
diff --git a/tests/openid/connect/core/grant_types/test_authorization_code.py b/tests/openid/connect/core/grant_types/test_authorization_code.py
index 91e24b3..f19b5fa 100644
--- a/tests/openid/connect/core/grant_types/test_authorization_code.py
+++ b/tests/openid/connect/core/grant_types/test_authorization_code.py
@@ -3,11 +3,13 @@ import json
 from unittest import mock
 
 from oauthlib.common import Request
+from oauthlib.oauth2.rfc6749.errors import (
+    ConsentRequired, InvalidRequestError, LoginRequired,
+)
 from oauthlib.oauth2.rfc6749.tokens import BearerToken
 from oauthlib.openid.connect.core.grant_types.authorization_code import (
     AuthorizationCodeGrant,
 )
-from oauthlib.openid.connect.core.grant_types.exceptions import OIDCNoPrompt
 
 from tests.oauth2.rfc6749.grant_types.test_authorization_code import (
     AuthorizationCodeGrantTest,
@@ -77,11 +79,7 @@ class OpenIDAuthCodeTest(TestCase):
     @mock.patch('oauthlib.common.generate_token')
     def test_no_prompt_authorization(self, generate_token):
         generate_token.return_value = 'abc'
-        scope, info = self.auth.validate_authorization_request(self.request)
         self.request.prompt = 'none'
-        self.assertRaises(OIDCNoPrompt,
-                          self.auth.validate_authorization_request,
-                          self.request)
 
         bearer = BearerToken(self.mock_validator)
 
@@ -92,7 +90,7 @@ class OpenIDAuthCodeTest(TestCase):
         self.assertIsNone(b)
         self.assertEqual(s, 302)
 
-        # Test alernative response modes
+        # Test alternative response modes
         self.request.response_mode = 'fragment'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertURLEqual(h['Location'], self.url_fragment, parse_fragment=True)
@@ -100,20 +98,60 @@ class OpenIDAuthCodeTest(TestCase):
         # Ensure silent authentication and authorization is done
         self.mock_validator.validate_silent_login.return_value = False
         self.mock_validator.validate_silent_authorization.return_value = True
+        self.assertRaises(LoginRequired,
+                          self.auth.validate_authorization_request,
+                          self.request)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertIn('error=login_required', h['Location'])
 
         self.mock_validator.validate_silent_login.return_value = True
         self.mock_validator.validate_silent_authorization.return_value = False
+        self.assertRaises(ConsentRequired,
+                          self.auth.validate_authorization_request,
+                          self.request)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertIn('error=consent_required', h['Location'])
 
         # ID token hint must match logged in user
         self.mock_validator.validate_silent_authorization.return_value = True
         self.mock_validator.validate_user_match.return_value = False
+        self.assertRaises(LoginRequired,
+                          self.auth.validate_authorization_request,
+                          self.request)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertIn('error=login_required', h['Location'])
 
+    def test_none_multi_prompt(self):
+        bearer = BearerToken(self.mock_validator)
+
+        self.request.prompt = 'none login'
+        self.assertRaises(InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
+        self.request.prompt = 'none consent'
+        self.assertRaises(InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
+        self.request.prompt = 'none select_account'
+        self.assertRaises(InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
+        self.request.prompt = 'consent none login'
+        self.assertRaises(InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
     def set_scopes(self, client_id, code, client, request):
         request.scopes = self.request.scopes
         request.user = 'bob'
diff --git a/tests/openid/connect/core/grant_types/test_implicit.py b/tests/openid/connect/core/grant_types/test_implicit.py
index 80069ac..6c22e90 100644
--- a/tests/openid/connect/core/grant_types/test_implicit.py
+++ b/tests/openid/connect/core/grant_types/test_implicit.py
@@ -4,7 +4,6 @@ from unittest import mock
 from oauthlib.common import Request
 from oauthlib.oauth2.rfc6749 import errors
 from oauthlib.oauth2.rfc6749.tokens import BearerToken
-from oauthlib.openid.connect.core.grant_types.exceptions import OIDCNoPrompt
 from oauthlib.openid.connect.core.grant_types.implicit import ImplicitGrant
 
 from tests.oauth2.rfc6749.grant_types.test_implicit import ImplicitGrantTest
@@ -64,41 +63,79 @@ class OpenIDImplicitTest(TestCase):
     @mock.patch('oauthlib.common.generate_token')
     def test_no_prompt_authorization(self, generate_token):
         generate_token.return_value = 'abc'
-        scope, info = self.auth.validate_authorization_request(self.request)
         self.request.prompt = 'none'
-        self.assertRaises(OIDCNoPrompt,
-                          self.auth.validate_authorization_request,
-                          self.request)
 
         bearer = BearerToken(self.mock_validator)
+
+        self.request.response_mode = 'query'
         self.request.id_token_hint = 'me@email.com'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
-        self.assertURLEqual(h['Location'], self.url_fragment, parse_fragment=True)
+        self.assertURLEqual(h['Location'], self.url_query)
         self.assertIsNone(b)
         self.assertEqual(s, 302)
 
-        # Test alernative response modes
-        self.request.response_mode = 'query'
+        # Test alternative response modes
+        self.request.response_mode = 'fragment'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
-        self.assertURLEqual(h['Location'], self.url_query)
+        self.assertURLEqual(h['Location'], self.url_fragment, parse_fragment=True)
 
         # Ensure silent authentication and authorization is done
         self.mock_validator.validate_silent_login.return_value = False
         self.mock_validator.validate_silent_authorization.return_value = True
+        self.assertRaises(errors.LoginRequired,
+                          self.auth.validate_authorization_request,
+                          self.request)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertIn('error=login_required', h['Location'])
 
         self.mock_validator.validate_silent_login.return_value = True
         self.mock_validator.validate_silent_authorization.return_value = False
+        self.assertRaises(errors.ConsentRequired,
+                          self.auth.validate_authorization_request,
+                          self.request)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertIn('error=consent_required', h['Location'])
 
         # ID token hint must match logged in user
         self.mock_validator.validate_silent_authorization.return_value = True
         self.mock_validator.validate_user_match.return_value = False
+        self.assertRaises(errors.LoginRequired,
+                          self.auth.validate_authorization_request,
+                          self.request)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertIn('error=login_required', h['Location'])
 
+    def test_none_multi_prompt(self):
+        bearer = BearerToken(self.mock_validator)
+
+        self.request.prompt = 'none login'
+        self.assertRaises(errors.InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
+        self.request.prompt = 'none consent'
+        self.assertRaises(errors.InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
+        self.request.prompt = 'none select_account'
+        self.assertRaises(errors.InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
+        self.request.prompt = 'consent none login'
+        self.assertRaises(errors.InvalidRequestError,
+                          self.auth.validate_authorization_request,
+                          self.request)
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertIn('error=invalid_request', h['Location'])
+
     @mock.patch('oauthlib.common.generate_token')
     def test_required_nonce(self, generate_token):
         generate_token.return_value = 'abc'
author	Nikos Sklikas <nsklikas@admin.grnet.gr>	2021-04-27 10:08:41 +0300
committer	Asif Saif Uddin <auvipy@gmail.com>	2021-05-01 14:12:17 +0600
commit	2f1d7d8e357b307b3d5f41006d2b0a0698e40e63 (patch)
tree	95d15b044f1bd156fbc2f15b25228d06bc542180 /tests
parent	b69fa53fd836dc559aa7fcd78ce075bcbe361629 (diff)
download	oauthlib-2f1d7d8e357b307b3d5f41006d2b0a0698e40e63.tar.gz